| Name of executable as Unicode string, truncated after 29 code units, if necessary, and terminated by U+0000. As it appears in the prefetch file file name.

+

| The name of the (original) executable as a Unicode (UTF-16 litte-endian string), up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.

|-

|-

| H6

| H6
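Review bot: the replacement description of the executable name changes "29 code units" to "29 characters" and drops the statement that longer names are truncated. For a UTF-16 string the two counts can differ, so keep "code units" and the truncation wording. The same added line misspells "little-endian" as "litte-endian" and closes the parenthesis after "string" instead of after "little-endian".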

Line 57:

Line 57:

|4

|4

|DWORD

|DWORD

−

|The prefetch hash, as it appears in the pf file name.

+

|The prefetch hash. This hash value should correspond with the one in the prefetch file filename.

At the end of the section there seems to be alignment padding that can contain remnant values.

+

+

== Section D - Volume information (block) ==

Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.

Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.

In this section, all offsets are assumed to be counted from the start of the D section.

In this section, all offsets are assumed to be counted from the start of the D section.

+

+

=== Volume information - version 17 ===

+

The following values are version dependent. Below the structure for format version 17.

{| class="wikitable"

{| class="wikitable"
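Review bot: the added sentence under the new "Volume information - version 17" heading, "Below the structure for format version 17.", has no verb; suggest "The structure for format version 17 is shown below." The same hunk rewords the prefetch hash note from "as it appears in the pf file name" to "should correspond with the one in the prefetch file filename", which reads as less certain. If a mismatch has been observed, say so, otherwise keep the definite wording.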

Line 241:

Line 266:

|}

|}

+

If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).

+

== See Also ==

+

* [[Prefetch]]

−

If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
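Review bot: the paragraph moved above the new "See Also" section still opens a parenthesis at "(A simple way to force this situation" that is never closed; close it after "were found)". It also says "only one section in the D section" where the section D introduction speaks of "subsections", so use "subsection" here as well.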

The name of the (original) executable as a Unicode (UTF-16 little-endian) string, up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.

{| class="wikitable"
|-
| H6
| 0x004C
| 4
| DWORD
| The prefetch hash. This hash value should correspond with the one in the prefetch file filename.
|}

== Section C ==

At the end of the section there seems to be alignment padding that can contain remnant values.

== Section D - Volume information (block) ==

Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.

In this section, all offsets are assumed to be counted from the start of the D section.

=== Volume information - version 17 ===

The following values are version dependent. The structure for format version 17 is shown below.

{| class="wikitable"
! Field
! Offset
! Length
! Type
! Notes
|-
| DH1
| +0x0000
| 4
| DWORD
| Offset to volume string (Unicode, terminated by U+0000)
|-
| DH2
| +0x0004
| 4
| DWORD
| Length of volume string (nr of characters, including terminating U+0000)
|-
| DH3
| +0x0008
| 8
| FTIME
| (File time)
|-
| DH4
| +0x0010
| 4
| DWORD
| Volume serial number of volume indicated by volume string
|-
| DH5
| +0x0014
| 4
| DWORD
| ? Offset to section DHS1
|-
| DH6
| +0x0018
| 4
| DWORD
| ? Length of section DHS1 (in bytes)
|-
| DH7
| +0x001C
| 4
| DWORD
| ? Offset to section DHS2
|-
| DH8
| +0x0020
| 4
| DWORD
| ? Nr of strings in section DHS2
|-
| ?
| +0x0024
| ?
| ?
| ? additional 28 bytes (includes one timestamp?)
|}

If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one subsection in the D section. If multiple volumes are referenced by section C, section D will contain multiple subsections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).)
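The version 17 header above can be read with a short parser. This is an added example, not code from the original page: the function names and the sample bytes are constructed, and it assumes DWORD and FTIME fields are stored little-endian and that FTIME is a Windows FILETIME.

```python
import struct
from datetime import datetime, timedelta, timezone

# DH1, DH2, DH3 (FTIME), DH4 .. DH8: 0x24 bytes, little-endian (assumption).
HEADER = struct.Struct("<IIQIIIII")

def filetime_to_utc(ft):
    """Assumed FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_volume_info_v17(section_d, header_offset=0):
    """Parse one version 17 subsection header; offsets are relative to section D."""
    if header_offset < 0 or header_offset + HEADER.size > len(section_d):
        raise ValueError("subsection header lies outside section D")
    (name_off, name_chars, ftime, serial,
     dhs1_off, dhs1_len, dhs2_off, dhs2_count) = HEADER.unpack_from(section_d, header_offset)
    # DH2 counts characters including the terminating U+0000; 2 bytes each.
    name_end = name_off + 2 * name_chars
    if name_chars == 0 or name_end > len(section_d):
        raise ValueError("volume string runs past the end of section D")
    raw = section_d[name_off:name_end]
    if raw[-2:] != b"\x00\x00":
        raise ValueError("volume string is not terminated by U+0000")
    return {
        "volume": raw[:-2].decode("utf-16-le"),
        "time": filetime_to_utc(ftime),
        "serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
        "dhs1": (dhs1_off, dhs1_len),    # offset, length in bytes
        "dhs2": (dhs2_off, dhs2_count),  # offset, number of strings
    }

def build_sample():
    """Constructed section D with one subsection (all values are made up)."""
    name = ("\\DEVICE\\HARDDISKVOLUME1\\" + "\0").encode("utf-16-le")
    name_off = HEADER.size + 28  # header plus the 28 undocumented bytes
    ftime = 116444736000000000 + 1_200_000_000 * 10_000_000  # 2008-01-10 21:20:00 UTC
    after_name = name_off + len(name)
    header = HEADER.pack(name_off, len(name) // 2, ftime, 0x1234ABCD,
                         after_name, 0, after_name, 0)
    return header + bytes(28) + name

if __name__ == "__main__":
    print(parse_volume_info_v17(build_sample()))
```

The bounds and terminator checks matter when carving prefetch data from damaged or partially overwritten files, where DH1 and DH2 may point outside the section.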